Last Updated on June 14, 2017

It’s time to publish the first timeline of May covering the main cyber attacks occurred between the 1st and 15th, as you will discover (and probably remember), for sure one of the worst months ever…

So May did not start very well with the massive phishing campaign targeting Gmail users and using oauth to spread virally (for the first time in such a massive scale). Final damage report: more than one million accounts compromised. And if this was not enough, things went worse and WannaCry did the rest, with an unprecedented outbreak (74 countries), which could have been much worse without the presence of the infamous kill-switch domain.

Of course all this mess did not stop the crooks from carrying out other massive attacks against Bell Canada (1.9 million accounts compromised) and Edmodo.

Other noticeable events include: the cyber attacks against Sabre Corp. and Docusign, and an SS7 attack against German O2-Telefonica users.

The list of the cyber espionage operations is also quite reach and include: a new wave of attacks from the infamous Turla (AKA Snake AKA Uroburos), the discovery of a RAT dubbed KONNI and targeting assets related to North Korea since at least 3 years, Operation WilySuply, targeting the supply chain of the designated victims, a new attack against Emmanuel Macron’s staff, the discovery of a new actor dubbed APT32 AKA OceanLotus Group, and the return of OilRig.

If you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015 and 2016 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts), and if useful, you can access the timeline in Google Sheet format.

102/05/2017?Gannett Co.A phishing email attack potentially compromises the accounts of as many as 18,000 current and former employees of media company Gannett Co.Account HijackingIndustry: MediaCCUS
202/05/2017?HandBrakeThe popular DVD-ripping HandBrake app, is hacked to install a new variant of the Proton malware.MalwareOrg: Non-ProfitCCFR
302/05/2017?Android usersSophos reveals the details of Super Free Music Player, a fake music player app in the Google Play Store, downloaded by thousands of users since March 31st, and riddled with malware.Mobile MalwareSingle IndividualsCC>1
402/05/2017?UK BanksDomainTools reveals that hundreds of fake website domains are being used by hackers to mimic some of the most popular banking services in the UK in an attempt to trick victims into handing over personal details and sensitive login credentials.Domain SquattingFinanceCCUK
502/05/2017?Sabre Corp. Hospitality UnitTravel industry giant Sabre Corp. disclosed what could be a significant breach of payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments.MalwareIndustry: Travel TechnologyCCUS
602/05/2017?City of FitchburgFitchburg, Mass. city officials report that the Social Security numbers of 1,800 residents were compromised during a data breach that was discovered on April 14, but took place more than three years ago.UnknownGovernmentCCUS
702/05/2017?Wellington's Victoria UniversityStudents and staff of Wellington's Victoria University have been warned their usernames and passwords may have been compromised following a data breach following an unauthorised access to the university's IT systems.UnknownEducationCCNZ
803/05/2017?Gmail usersA massive phishing campaign hits Google users and compromises about a million of its accounts exploiting a fake app abusing the Oauth authentication protocol.Account Hijacking via OauthSingle IndividualsCC>1
903/05/2017?German O2-Telefonica usersO2-Telefonica in Germany confirms to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.Account Hijacking via SS7 VulnerabilitySingle IndividualsCCDE
1003/05/2017Snake AKA Turla, AKA UroburosOSX UsersFox-it reveals that the infamous threat actor Snake (AKA Turla, AKA Uroburos) is back and ready to target OSX users.Targeted AttackSingle IndividualsCE>1
1103/05/2017?Assets related to North KoreaResearchers from Cisco Talos reveal the details of an unknown Remote Administration Tool, dubbed KONNI, in use, undetected, for over 3 years.Targeted Attack>1CE>1
1203/05/2017SkyscraperMultiple targetsApproximately 500,000 pediatric medical records, many from doctors' offices that didn't know they had been breached, are spotted for sale on the dark web.UnknownHealthcareCCUS
1303/05/2017TuftsLeaksTufts UniversityA group calling itself TuftsLeaks publishes documents online that contain sensitive financial information from Tufts. The leak includes department budgets, the salaries of thousands of staff and faculty and the ID numbers of student employees with salaries listed.UnknownEducationCCUS
1404/05/2017TheDarkOverlordAesthetic Dentistry OC Gastrocare Tampa Bay Surgery CenterTheDarkOverlord dumps 180,000 patients’ records from 3 hacks. The victims are: Aesthetic Dentistry, OC Gastrocare, Tampa Bay Surgery CenterUnknownHealthcareCCUS
1504/05/2017?Several high-profile technology and financial organizationsMicrosoft reveals the details of Operation WilySuply, a sophisticated campaign exploiting the software remote update channel of the supply chain as an attack vector.Targeted AttackSeveral high-profile technology and financial organizationsCE>1
1604/05/2017?Charlotte Flair VictoriaWWE divas Charlotte Flair and Victoria are the latest victims of the Celebgate leak.UnknownSingle IndividualsCCUS
1705/05/2005?DebenhamsMalware infects the backend systems used by British high street chain Debenhams, and steals 26,000 people's personal information in the process. The hack happened after compromising the systems at Ecomnova, the firm that runs the Debenhams Flowers business, for six weeks.MalwareIndustry: RetailCCUK
1806/05/2005?Emmanuel Macron's StaffThe French presidential candidate Emmanuel Macron is targeted by a “massive and coordinated” hacking attack, hours before voters go to the polls. Tens of thousands of internal emails and other documents (9Gb) are released online.UnknownOrg: Political PartyCCFR
1906/05/2005?Confluence Charter SchoolsThe network servers for Confluence Charter Schools are hacked, but school leadership say there is no evidence that student or employee data have been compromised.UnknownEducationCCUS
2007/05/2017?FCC (Federal Communications Commission)The FCC website is hit by a DDoS Attack.DDoSGovernmentCCUS
2108/05/2017?Multiple targetsBitdefender reveals the details of Netpreser, a cyber espionage campaign carried on using readily available software tools.Malware>1CE>1
2209/05/2017?FranceFrance's central bank warns of an increase in phishing attempts using its name and logo and email addresses purporting to be Bank of France ones.Account HijackingSingle IndividualsCCFR
2309/05/2017Authors from Iran?IP CamerasTrend Micro reveals the details of Persirai, a new IoT botnet targeting IP cameras.Malware>1CC>1
2409/05/2017? (linked to North Korea?)Unnamed TargetCylance reveals the details of Paipeu, an unknown malware used as an infostealer.Targeted AttackN/ACEN/A
2510/05/2017?CedexisA DDos attack against Cedexis knocks out several major French news websites including Le Monde and Le Figaro.DDoSIndustry: Content Deliver NetworkCCUS
2611/05/2017An unidentified group, APT28 and TurlaMultiple targetsSecurity vendors ESET and FireEye this week issued separate advisories on cyberattacks involving the use of three Microsoft zero-day flaws: CVE-2017-0261, CVE-2017-0262, CVE-2017-0263. The attacks are carried on by an unidentified group and also by APT28 and Turla.Targeted Attack>1CE>1
2711/05/2017Russian ForcesUkrainian SoldiersUkrainian soldiers are hit by an ongoing campaign of propaganda-texting. The campaign is attributed to Russian forces equipped with cell site simulators (IMSI-catchers).Cell Site Simulators (IMSI-catchers)MilitaryCWUA
2811/05/2017nclay?EdmodoA hacker steals millions of user account details from popular education platform Edmodo, and the data is apparently for sale on the so-called dark web. The organization claims to have over 78 million members.UnknownIndustry: Educational TechnologyCCUS
2912/05/2017?Multiple targetsThe WannaCrypt ransomware worm, aka WanaCrypt or Wcry, explodes across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco (Telefonica), and more organizations.Malware>1CC>1
3012/05/2017?National University of Singapore (NUS) Nanyang Technological University (NTU)Reports emerge that the two Singapore universities suffered APT (advanced persistent threat) attacks last month, with the attackers specifically targeting government and research data.Targeted AttackEducationCESG
3112/05/2017Brooks BrothersU.S. clothing company Brooks Brothers reveals that payment card information of certain customers were compromised at some of its retail locations in the United States and Puerto Rico over 11 months until March.PoS MalwareIndustry: ClothesCCUS
3212/05/2017?Multiple targetsResearchers at Cylance reveal a new advanced threat, dubbed Baijiu, which uses heightened interest in North Korea and the GeoCities web service to prey on victims.Targeted Attack>1CE>1
3314/05/2017APT32 AKA OceanLotus GroupMultiple Targets with Interests in VietnamFireEye reveals the details of Operation Cobalt Kitty, a campaign carried on by APT32, an advanced threat group that conducts targeted intrusions at large multinational businesses with interests in Vietnam.Targeted Attack>1CE>1
3415/05/2017?Bell CanadaBell Canada says that 1.9 million customer account details have been stolen by unknown hackers, although no payment card numbers or passwords have been taken.UnknownIndustry: TelcoCCCA
3515/05/2017?DocusignDocuSign acknowledges that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems.UnknownIndustry: SaaSCCUS
3615/05/2017OilRig?Unnamed Military ContractorTrapX reveals to have repelled an attack against an unnamed military contractor carried on by Iranian hackers using a Russian Toolset.Targeted AttackIndustry: Defense ContractorCEUS
3715/05/2017?University of New Mexico FoundationA month after discovering a computer server breach that may have compromised personal information for about 23,000 people, the University of New Mexico Foundation begins sending notification letters about the incident.UnknownEducationCCUS

This Post Has 3 Comments

  1. Fraser Dawson

    Hi Paulo!

    I am trying to figure out where your statistics come from, but I cannot see a source anywhere..?


    1. Paolo Passeri

      The statistics come frome the Timelines.

  2. outofc0ntr0l

    again appears to be an issue with the google Sheet mate. Thanks for the data I enjoy using this.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.